• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

kobotoolbox / kpi / 29029441589
81%
master: 76%

Build:
Build:
LAST BUILD BRANCH: hugo/dev-1833-asset-permissions-single-fetch
DEFAULT BRANCH: master
Ran 09 Jul 2026 03:31PM UTC
Jobs 10
Files 893
Run time 3min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

09 Jul 2026 03:25PM UTC coverage: 81.382% (+20.2%) from 61.232%
29029441589

push

github

web-flow
fix(mfa): enforce 2FA when an authenticated user logs in as another account DEV-2111 (#7223)

### đŸ“Ŗ Summary

Signing in with a second account's credentials while already logged in
now signs you into that account (prompting for 2FA when enabled) instead
of silently ignoring the new credentials.

### 📖 Description

Previously, if you were already logged in and submitted a different
account's credentials on the login form, the new login was silently
discarded. You stayed logged in as your original account and never saw a
2FA prompt. Now the stale session is dropped so the new login completes
normally, including its two-factor challenge.

### 💭 Notes

- Root cause: `ACCOUNT_AUTHENTICATED_LOGIN_REDIRECTS` is disabled, so an
already-authenticated user can POST the login form for a *different*
account. When that account has MFA enabled, allauth defers the login to
its 2FA stage, but the `mfa_authenticate` view redirects any
already-authenticated request away (allauth's `login_stage_required`
decorator), silently abandoning the pending login and leaving the
original user signed in. `MfaLoginView.form_valid` now logs the current
user out (only when the submitted credentials resolve to a different
account, and only after they validate) so the new login and its 2FA
challenge run on a clean, anonymous session.
- Two regression tests added in
`kobo/apps/accounts/mfa/tests/test_login.py`: one reproducing the bounce
(asserts the 2FA challenge is reached and the stale session is dropped),
and one guarding that a *failed* login attempt does not drop the
existing session.

### 👀 Preview steps

1. â„šī¸ have two accounts: a regular one, and a superuser with 2FA (TOTP)
enabled
2. log in as the regular (non-superuser) account
3. navigate to `/admin/` — you get the login screen
4. enter the superuser's username and password
5. 🔴 [on main] you're bounced straight to the projects list, still
logged in as the regular user, with no 2FA prompt
6. đŸŸĸ [on PR] you're taken to the 2FA ... (continued)

9270 of 12614 branches covered (73.49%)

6 of 13 new or added lines in 1 file covered. (46.15%)

1 existing line in 1 file now uncovered.

30235 of 37152 relevant lines covered (81.38%)

5.52 hits per line

Uncovered Changes

Lines Coverage ∆ File
7
51.09
-0.13% kobo/apps/accounts/mfa/views.py

Coverage Regressions

Lines Coverage ∆ File
1
51.09
-0.13% kobo/apps/accounts/mfa/views.py
Jobs
ID Job ID Ran Files Coverage
1 29029441589.1 09 Jul 2026 03:31PM UTC 889
44.42
2 29029441589.2 09 Jul 2026 03:31PM UTC 889
52.93
3 29029441589.3 09 Jul 2026 03:31PM UTC 889
49.59
4 29029441589.4 09 Jul 2026 03:32PM UTC 891
54.2
5 29029441589.5 09 Jul 2026 03:33PM UTC 889
58.96
6 29029441589.6 09 Jul 2026 03:33PM UTC 891
50.93
7 29029441589.7 09 Jul 2026 03:34PM UTC 891
45.79
8 29029441589.8 09 Jul 2026 03:34PM UTC 891
66.63
9 29029441589.9 09 Jul 2026 03:35PM UTC 893
68.94
10 29029441589.10 09 Jul 2026 03:36PM UTC 891
60.12
Source Files on build 29029441589
  • Tree
  • List 893
  • Changed 278
  • Source Changed 0
  • Coverage Changed 278
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses
  • Back to Repo
  • 463d4163 on github
  • Prev Build on release/2.026.27 (#29028964036)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc